can leverage information leaked by compression to recover targeted parts of the plaintext.

BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) is a category of vulnerabilities and not a specific instance affecting a specific piece of software. To be vulnerable, a web application must:

Be served from a server that uses HTTP-level compression

Reflect user input in HTTP response bodies

Reflect a secret (such as a CSRF token) in HTTP response bodies

Remediation

The mitigations are ordered by effectiveness, not by practicality, since how practical each one is differs from one application to another.

Disabling HTTP compression

Separating secrets from user input

Randomizing secrets per request

Masking secrets (XORing the secret with a fresh random mask on every request and transmitting the mask alongside the masked value, so the bytes reflected in the response change each time even though the underlying secret stays the same)
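The masking mitigation above, worked through as an added example that is not code from the original text or from any particular framework. It assumes a hypothetical per-session CSRF secret (constructed here with os.urandom) and shows the two halves of the scheme: the server emits a different wire token on every render by XORing the secret with a random mask and concatenating mask and masked value, and on submission it unmasks and compares in constant time. Because the reflected bytes are re-randomized per request, repeated observations of the compressed response length no longer correlate with a stable secret, which is what removes the BREACH signal.

```python
import os
import hmac
from base64 import urlsafe_b64encode, urlsafe_b64decode


def mask_token(secret: bytes) -> str:
    """Produce a per-request wire token: base64(mask || secret XOR mask).

    The mask is fresh random bytes of the same length as the secret, so the
    token embedded in the page changes on every render.
    """
    mask = os.urandom(len(secret))
    masked = bytes(s ^ m for s, m in zip(secret, mask))
    return urlsafe_b64encode(mask + masked).decode("ascii")


def unmask_token(token: str, secret_len: int) -> bytes:
    """Recover the underlying secret from a wire token.

    Raises ValueError if the token is malformed or has the wrong length.
    """
    raw = urlsafe_b64decode(token.encode("ascii"))
    if len(raw) != 2 * secret_len:
        raise ValueError("token has unexpected length")
    mask, masked = raw[:secret_len], raw[secret_len:]
    return bytes(a ^ b for a, b in zip(masked, mask))


def verify_token(token: str, session_secret: bytes) -> bool:
    """Check a submitted token against the session's secret.

    Any decoding problem is treated as a failed check, and the final
    comparison is constant-time so the verifier itself leaks nothing.
    """
    try:
        recovered = unmask_token(token, len(session_secret))
    except ValueError:
        return False
    return hmac.compare_digest(recovered, session_secret)


def render_form(session_secret: bytes) -> str:
    """Hypothetical page render: embed a freshly masked token in the HTML."""
    return (
        '<form method="post">'
        f'<input type="hidden" name="csrf" value="{mask_token(session_secret)}">'
        "</form>"
    )


def distinct_wire_tokens(session_secret: bytes, renders: int) -> int:
    """Count how many distinct tokens appear across repeated renders.

    With per-request masking this equals the number of renders: the value an
    observer sees in the (compressed) response never repeats.
    """
    return len({mask_token(session_secret) for _ in range(renders)})


if __name__ == "__main__":
    # Constructed per-session secret; a real app would store this server-side.
    secret = os.urandom(32)
    page = render_form(secret)
    token = page.split('value="')[1].split('"')[0]
    print("wire token:", token)
    print("verifies:", verify_token(token, secret))
    print("distinct tokens over 5 renders:", distinct_wire_tokens(secret, 5))
```

The unmasking step is what keeps the scheme usable: the server never needs to store the mask, because the client sends it back as the first half of the token. Verification must still compare the recovered value against the session secret in constant time, otherwise the masking only moves the leak from compression to timing.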